Skip to content to Google Cloud Security Command Center Bridge
Python Shell
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.
test-requirements.txt -> Google Cloud Security Command Center

This tool is designed to consume vulnerability data, transform that data into the Google Security Command Center format, and then upload the resulting data into Google Security Command Center.

The tool can be run as either as a one-shot ingest or as a continuous service.

Requirements for use

  • API Keys for a service account in that can use the Exports API (Generally an Admin User)
  • Service Account within Google Cloud that has the required permissions to edit findings and state (Security Center Findings Editor, and Security Center Findings State Setter roles).
  • A host to run the script on that can run a Python 3.x environment. As this bridge talks cloud-to-cloud, where it is located does not matter.


pip install tenable-cscc


  1. Add the CSCC Service from the Marketplace
  2. Copy the source id that was generated (we will use this later)
  3. Create a service key for the account that was created
  4. Create a new VM Instance to store the integration (Debian 9)
  5. Download the installation script: curl -o
  6. Run the installer chmod 755 && sudo ./
  7. Copy the service key onto the host (such as /etc/google-account.json).
  8. Update the variables within the /etc/tenable-cscc.conf file.
  9. Start the service sudo systemctl start tenable-cscc


The following below details both the command-line arguments as well as the equivalent environment variables.

Usage: tenable-cscc [OPTIONS] -> Google Cloud Security Command Center Bridge

  --tio-access-key TEXT  Access Key
  --tio-secret-key TEXT  Secret Key
  -b, --batch-size INTEGER        Export/Import Batch Sizing
  -v, --verbose                   Logging Verbosity
  -s, --observed-since INTEGER    The unix timestamp of the age threshold
  -r, --run-every INTEGER         How many hours between recurring imports
  -t, --threads INTEGER           How many concurrent threads to run for the
  -s, --service-account-file PATH
  -i, --service-id TEXT           The GCP CSCC Source ID
  --help                          Show this message and exit.


Run the import once:

tenable-cscc                                    \
    --tio-access-key {TIO_ACCESS_KEY}           \
    --tio-secret-key {TIO_SECRET_KEY}           \
    --service-account-file {SA_JSON_FILENAME}   \
    --org-id {ORG_ID}

Run the import once an hour:

tenable-cscc                                    \
    --tio-access-key {TIO_ACCESS_KEY}           \
    --tio-secret-key {TIO_SECRET_KEY}           \
    --service-account-file {SA_JSON_FILENAME}   \
    --org-id {ORG_ID}
    --run-every 1



You can’t perform that action at this time.